Compliance

CMMC and Contract Inventories

09/2025

One of the new additions to the government’s systems with the rollout of CMMC is the CMMC Unique Identifier (UID). This is a ten-character alphanumeric code assigned to each system that has undergone a CMMC assessment, and it serves as the primary tracking mechanism in SPRS. The government is requiring all contractors to provide UIDs for all information systems that process, store, and transmit FCI or CUI during the contract. Each UID is tied to a specific assessment and system scope, which is how the government is closing loopholes and enforcing accountability: the contract is linked to the UID of the system that holds the contract data.

Steps to CMMC Compliance

  1. List active and upcoming contracts
  2. Identify where CUI/FCI is stored, accessed, marked, or shared
  3. Classify each contract’s risk (low, medium, high)
  4. Determine audit timelines based on contract expiration or award
  5. Scope systems tied to each contract
  6. Bring systems into compliance

Build Your Contract Inventory

Start by listing all active and upcoming contracts in a spreadsheet or contract management tool, including customers such as the Department of War (DoW) and prime contractors. For each contract, map how Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is handled: identify the type of data involved, where it is stored, who has access to it, how it is marked, and whether it is shared with vendors or third parties.

Classifying CMMC Risk

By assessing risk, companies can determine the systems that require compliance and auditing:

Low Risk: The contract likely involves no CUI, or it originates from an organization that is not pushing CMMC requirements.

Medium Risk: The contract involves CUI but is near completion or not scheduled for renewal, so the business loss from non-compliance is limited.

High Risk: The contract has significant CUI exposure, and a CMMC compliance requirement is almost certain. If the company is not compliant, it will not be eligible to receive the award.

Determining Audit Timelines

If your contracts require Level 2 or Level 3, the process of becoming compliant is time-consuming. Planning should be tied directly to contract expiration and renewal dates. Companies need to ensure compliance is documented before a contract can be awarded or extended.

“Contracting officers shall not exercise an option period or extend the period of performance on a contract, task order, or delivery order, unless the contract has a current (i.e., not more than 3 years old) CMMC certificate at the level required by the contract, task order, or delivery order.”

DFARS 204.7501(b)

By aligning audits with these milestones, businesses reduce the risk of missing renewals or being disqualified from new opportunities.

Scoping Systems

Use the CMMC Level 2 Scoping Guide to identify all people, technologies, and facilities that process, store, or transmit Controlled Unclassified Information (CUI). This step ensures that only the correct assets are included in your CMMC boundary.

Within this exercise, classify assets into the following categories:

  1. CUI Assets
  2. Security Protection Assets
  3. Contractor Risk Managed Assets
  4. Specialized Assets
  5. Out-of-Scope Assets

Using the results of this classification, you can define the official CMMC scope for contracts with CMMC requirements. A well-defined scope enables you to create a targeted plan and implementation roadmap to reach CMMC readiness, focusing only on what matters for certification.

A common challenge we see with companies that don’t understand their contract scope is that they either under-scope or over-scope their CMMC environment, leading to inflated costs or lost contracts. To schedule a complimentary in-depth consulting session, reach out to Atomus.
